May 2008

Integrate Active Directory and OpenLDAP

Use OpenLDAP’s proxy service to allow LDAP operations to cross boundaries

Executive Summary:

OpenLDAP’s proxy service can allow LDAP operations to cross the boundaries between AD and OpenLDAP deployments. To demonstrate this proxy service, we walk through the steps to make AD’s cn=Users container, which by default contains all user objects, part of an OpenLDAP directory. To produce the examples in this article, I used CentOS 4.3, OpenLDAP 2.2.13, and AD running on Windows Server 2003 R2. Later in the article, I’ll show you a limitation in the commonly deployed OpenLDAP 2.2, which you can solve by installing OpenLDAP 2.3 on CentOS 4.3.

Solutions Snapshot

Problem:
You can’t access Active Directory (AD) Schema via OpenLDAP.

Solution:
Use OpenLDAP’s proxy service to connect to AD.

What You Need:
CentOS; OpenLDAP; AD running on Windows Server 2003 R2

Difficulty: 3.5

Solution Steps:
1. Start slapd.
2. Configure slapd-ldap; restart slapd and run ldapsearch.
3. Install OpenLDAP 2.3.
4. Modify pidfile and argsfile.
5. Restart slapd and run ldapsearch again.

Both Active Directory (AD) and OpenLDAP play important roles in the enterprise. In fact, within the same company you’ll find the UNIX group using OpenLDAP and the LAN and Windows administrators using AD. However, most people are unable to fully access the AD schema via OpenLDAP.

OpenLDAP and AD can peacefully coexist—the key is finding the best way to allow LDAP operations to cross the boundaries between AD and OpenLDAP deployments. One way to make that happen is to use OpenLDAP’s proxy service. To demonstrate this proxy service, I’ll walk you through the steps to make AD’s cn=Users container, which by default contains all user objects, part of an OpenLDAP directory.

Terms and Versions
Before moving on, let’s define terminology. First, an LDAP server is actually what is known as a Directory Service Agent (DSA). Second, a DSA manages either part or all of a Directory Information Tree (DIT). Several DSAs may be deployed to manage an entire DIT as well as to allow for replication and high availability. The portion of the DIT that a DSA manages is known either as a partition or database. I use the term database.

To produce the examples in this article, I used CentOS 4.3, OpenLDAP 2.2.13, and AD running on Windows Server 2003 R2. Later in the article, I’ll show you a limitation in the commonly deployed OpenLDAP 2.2, which you can solve by installing OpenLDAP 2.3 on CentOS 4.3. (For CentOS 4.3, I use the RPMs found at dev.centos.org/centos/4/testing/i386/RPMS/.) See the sidebar “Upgrading OpenLDAP on CentOS” for installation instructions.

Starting the OpenLDAP Server Process
The OpenLDAP server process is named slapd, which stands for “stand-alone LDAP daemon.” It provides almost all of the OpenLDAP server functionality, including the ability to accept connections from LDAP clients, process queries and updates, and implement the ACLs that restrict access to confidential information within the directory. Notably, in OpenLDAP, replication is handled by another process entirely and is beyond the scope of this article.

Let’s start off with a sample slapd configuration that brings up a basic DIT with no ACLs or any other special capabilities. On the OpenLDAP server, configuration starts with the slapd.conf file shown in Listing 1. In this configuration, slapd manages a database for the directory tree dc=testcorp,dc=com.

To start slapd, type the following:

# service ldap start

and load the initial entries into the database.

To load the entries, first enter the information from Listing 2 into a file named dir.ldif. These entries define a very simple tree that has a suffix (aka root) of dc=testcorp,dc=com and two branches, ou=People and ou=Groups. Now, load the entries using ldapadd:

# ldapadd -x -h localhost -D cn=manager,dc=testcorp,dc=com -W -f dir.ldif
Enter LDAP Password: <value-of-rootpw>
adding new entry "dc=testcorp,dc=com"
adding new entry "ou=People,dc=testcorp,dc=com"
adding new entry "ou=Groups,dc=testcorp,dc=com"

The -x option specifies that ldapadd should use simple authentication instead of Simple Authentication and Security Layer (SASL). With simple authentication, the LDAP client (in this case, ldapadd) sends the bind DN and password in plaintext. Even if you use LDAP over SSL (LDAPS) or LDAP StartTLS, you’re still using simple authentication; the difference is that the tunnel carrying the credentials is encrypted (and far more secure).
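What “plaintext” means on the wire, as an added example that is not part of the article: the block below builds the BindRequest that an ldapadd -x -D cn=manager,dc=testcorp,dc=com -W run sends (with a constructed, made-up password), then decodes it the way a packet-capture tool would, showing that without LDAPS or StartTLS the bind DN and password are readable octets in the frame. The BER encoder and decoder are hand-written here so the example runs offline; the tag values follow RFC 4511.

```python
# Added example (not the article's code): decode an LDAP BindRequest (RFC 4511)
# to show what a simple bind exposes on an unencrypted port 389 connection.

def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value; short-form length below 128, long-form above."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        count = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + n], pos + n

def encode_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))  # assumes msg_id < 128

def inspect_bind(frame: bytes) -> dict:
    """Classify a BindRequest: simple [0] carries the DN and password as plain octets;
    sasl [3] carries a mechanism name plus opaque credentials."""
    tag, msg, _ = _read_tlv(frame, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    result = {"message_id": msg_id[0], "version": version[0], "dn": dn.decode()}
    if auth_tag == 0x80:
        result.update(method="simple", password=auth.decode())
    elif auth_tag == 0xA3:
        result.update(method="sasl", mechanism=_read_tlv(auth, 0)[1].decode())
    return result

# Constructed sample: the bind that `ldapadd -x -D cn=manager,dc=testcorp,dc=com -W` sends
# when the password typed at the prompt is the made-up value below.
SAMPLE_FRAME = encode_simple_bind(1, "cn=manager,dc=testcorp,dc=com", "not-a-real-rootpw")
```

The same decoder classifies a SASL bind ([3]), where only a mechanism name and opaque credentials appear in the frame; a TLS-protected connection hides the whole frame from a passive observer, which is the point of pairing -x with LDAPS or StartTLS.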

We can test that our entries loaded properly by using ldapsearch:

# ldapsearch -LLL -x -h localhost -b 'dc=testcorp,dc=com'

which performs a query to find all entries below the root of the tree. Figure 1, page 48, shows the results. As expected, ldapsearch returns the three entries that we originally imported via ldapadd. We are now ready to begin working with referrals.

A Caveat to Using Referrals
You saw how easy it is to view entries that OpenLDAP manages by using a simple ldapsearch command on our client—but what about viewing entries that AD manages? For that to happen, you need to direct either the LDAP client or the LDAP server (i.e., OpenLDAP) to AD.

An obvious choice is to use referrals, which is a way for a DSA to forward—or refer—an LDAP request to another DSA. However, while referrals are both powerful and flexible (both for managers and application developers), keep in mind an important caveat: How a client handles a referral is entirely dependent on implementation. For example, OpenLDAP’s ldapsearch can chase referrals when used with the -C option, but only anonymously—ldapsearch doesn’t try to authenticate against the second DSA.

If you did create a referral in OpenLDAP to AD, ldapsearch (as well as other OpenLDAP binaries such as ldapadd) would return output containing the following: “In order to perform this operation a successful bind must be completed on the connection.” This statement simply means that ldapsearch chased the referral to a domain controller (DC) and the operation was rejected because ldapsearch didn’t try to authenticate.



Reader Comments
I loved the subject of this article. We're currently going through an auditing process, and integration of our Linux accounts with AD would go a long way in streamlining the way we demonstrate compliance.

I would love to see more articles like this that integrate Windows with other OSs.

With that in mind, the name of this magazine is "WINDOWS IT Pro". While I'd like to think I can navigate a 'nix system pretty well, your article leaves a lot of gaps in the low-level processes. Navigation of the web site for the CentOS RPM alone yields several pages of possible downloads with seemingly few distinctions made between them.

The sidebars too could be bolstered with details like instructions for downloading the file and transferring it to the UNIX system (i.e. with an SMB mount point) and flags for installing the RPM packages (rpm -i filename.rpm).

Perhaps I represent the minority, but I'm reading this from a WINDOWS administrator perspective. I realize that simple Linux navigation (like the necessity of "su"-ing after initial login) is arguably too detailed for inclusion, but the article left a lot of details to be desired.

I suppose the argument could be made that if one doesn't know how to log into a Linux system, one shouldn't be integrating it with one's enterprise directory. However, at a minimum, any article proposing this integration should probably narrow down the field of possible downloads available out on http://dev.centos.org/centos/4/testing/i386/RPMS/ for fear of endorsing the wrong one.

Thanks for a great article, but please don’t spare us the details.

Tallarico, May 14, 2008




Also, the "printer friendly" version cuts off in the middle of words. This wouldn't be specific to this article, however.

Hopefully this comment will only post once. :D

Tallarico, May 14, 2008


Windows IT Pro is a Division of Penton Media Inc. Copyright © 2008 Penton Media, Inc. All rights reserved.